The vulnerabilities

CSRF at /urlstorage: you can make the victim change his stored URL without any interaction on his part.

With only these two, it is nearly impossible to achieve the goal.

Just a bit later, I found there is an RPO (Relative Path Overwrite) vulnerability as well. RPO is a technique by which we can overwrite a relative path. Details can be found here.

(Actually, this is not my first time with RPO; you can read another writeup of mine about it here *written in Vietnamese, please use a translator, it works well*. The interesting point is, I leveraged RPO to leak an OAuth token by using @import instead of an open redirect.)

So, by changing my URL to %0a{}%0a*{color:red}, I would be able to trigger RPO.
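The precondition for RPO is that the page references its stylesheet by a relative path, so the location the browser fetches it from moves with the request path. The following is an added example (it is not code from this writeup or the target application) that resolves stylesheet hrefs the way a browser does and flags the path-dependent ones; the host app.example, the page URL and the sample HTML are constructed.

```javascript
// Added example, not part of the writeup. Resolves stylesheet hrefs the way a
// browser does and flags the ones whose location follows the request path,
// which is the precondition for Relative Path Overwrite (RPO).

// Resolve `href` against the page URL exactly as the browser would.
function resolveStylesheet(pageUrl, href) {
  return new URL(href, pageUrl).href;
}

// Return true when the same href resolves differently for the page at its
// canonical path versus the page reached with an extra trailing segment.
// That drift is what lets a crafted segment decide where the CSS comes from.
function isPathDependent(pageUrl, href) {
  const withSegment = new URL(pageUrl);
  withSegment.pathname = withSegment.pathname.replace(/\/?$/, '/x/'); // constructed extra segment
  return resolveStylesheet(pageUrl, href) !== resolveStylesheet(withSegment.href, href);
}

// Scan an HTML document for <link rel="stylesheet"> tags and report the hrefs
// that are path-dependent. Root-relative ("/static/app.css") and absolute
// ("https://cdn.example/lib.css") hrefs resolve to one location regardless of
// the request path, so they are not reported.
function findRpoProneStylesheets(html, pageUrl) {
  const prone = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    if (!/\brel\s*=\s*["']?stylesheet\b/i.test(tag)) continue;
    const m = tag.match(/\bhref\s*=\s*["']([^"']+)["']/i);
    if (m && isPathDependent(pageUrl, m[1])) prone.push(m[1]);
  }
  return prone;
}

// Constructed sample document: two relative hrefs (RPO-prone), one
// root-relative and one absolute (not prone), plus a non-stylesheet link.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="/static/app.css">
<link rel="stylesheet" href="https://cdn.example/lib.css">
<link rel="stylesheet" href="./theme.css">
<link rel="icon" href="favicon.ico">
</head><body></body></html>`;

const PAGE_URL = 'https://app.example/profile'; // constructed page URL

// Same href, two request paths: the second fetch lands under the extra segment.
console.log(resolveStylesheet(PAGE_URL, 'style.css'));        // https://app.example/style.css
console.log(resolveStylesheet(PAGE_URL + '/x/', 'style.css')); // https://app.example/profile/x/style.css
console.log(findRpoProneStylesheets(SAMPLE_HTML, PAGE_URL));   // [ 'style.css', './theme.css' ]
```

On the defensive side, the fix is the one the scan points at: reference stylesheets by root-relative or absolute URLs so the resolved location never depends on the request path. Serving the page with a doctype (standards mode, where browsers reject stylesheets not served as text/css) and sending X-Content-Type-Options: nosniff both stop a reflected HTML document from being parsed as CSS even if a relative path slips through.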

So what could we do with these 3 pieces of the puzzle? 🤔

Step 1: Get the flag token

If you are familiar with CSS, you'll know about CSS selectors, so what if we leak the href flag?token={...} by using this feature combined with RPO?